34 matches found
FUXA has a hardcoded fallback JWT signing secret
FUXA used a static fallback JWT signing secret frangoteam751 when no secretCode was configured. If authentication was enabled without explicitly setting a custom secret, an attacker who knew the default value could forge valid JWT tokens and bypass authentication. This issue has been addressed in...
GHSA-C9Q6-G3HR-8GWW Jervis Has Weak Random for Timing Attack Mitigation
Vulnerability: https://github.com/samrocketman/jervis/blob/157d2b63ffa5c4bb1d8ee2254950fd2231de2b05/src/main/groovy/net/gleske/jervis/tools/SecurityIO.groovyL593-L594 uses java.util.Random, which is not cryptographically secure. Impact: If an attacker can predict the random delays, they may still be...
EUVD-2022-5968
Malicious code in bioql PyPI...
CLSA-2025-1758102713 nodejs: Fix of CVE-2025-22150
CVE-2025-22150: fix issue where undici used Math.random to choose boundary for multipart/form-data request, now uses secure random number generator...
Vision UI Security Feature Issue Vulnerability
Vision UI is a UI component by the individual developer David Osipov. A security feature issue vulnerability exists in Vision UI version 1.4.0 and earlier, which stems from a 32-bit integer overflow in the getSecureRandomInt function, which may result in an uneven distribution of random numbers...
Fedora 42 : perl-Crypt-CBC (2025-f7bc7b789f)
The remote Fedora 42 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2025-f7bc7b789f advisory. This update, to the current upstream release version, includes a fix to source random numbers using the Crypt::URandom module rather than trying to read...
CVE-2025-48372 Schule Has Insecure OTP Length, is Susceptible to Brute-Force Attacks
Schule is open-source school management system software. The generateOTP function generates a 4-digit numeric One-Time Password (OTP). Prior to version 1.0.1, even if a secure random number generator is used, the short length and limited range (1000–9999) results in only 9000 possible combinations...
PT-2025-18941 · Unknown +1 · Mojolicious +1
Name of the Vulnerable Software and Affected Versions: Mojolicious versions 7.28 through 9.39. Description: The issue concerns the generation of weak HMAC session secrets in Mojolicious for Perl. When creating a default app, a weak secret is written to the application's configuration file using th...
[SECURITY] Fedora 41 Update: perl-Crypt-URandom-Token-0.003-1.fc41
This module provides a secure way to generate a random token for passwords and similar using Crypt::URandom as the source of random bits...
[SECURITY] [DLA 4120-1] libnet-easytcp-perl security update
Debian LTS Advisory DLA-4120-1 https://www.debian.org/lts/security/ Andrej Shadura April 08, 2025 https://wiki.debian.org/LTS ...
CVE-2025-27551
CVE-2025-27551 affects DBIx::Class::EncodedColumn (Digest.pm) up to version 0.00032. The issue stems from salting password hashes with the non-cryptographically secure rand() function. Impact is described as: local attack vector and limited scope of exploitability within affected module until 0.0...
goTenna Pro ATAK Plugin Security Feature Issue Vulnerability
The goTenna Pro ATAK Plugin is a plugin for goTenna's device that creates networks for off-grid communications and situational awareness. A security signature issue vulnerability exists in goTenna Pro ATAK Plugin version 1.9.12 and earlier, which stems from not using SecureRandom when generating...
WordPress Plugin Page Builder: KingComposer Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. WordPress Plugin Page Builder: KingComposer...
SUSE CVE-2014-0878
The IBMSecureRandom component in the IBMJCE and IBMSecureRandom cryptographic providers in IBM SDK Java Technology Edition 5.0 before Service Refresh 16 FP6, 6 before Service Refresh 16, 6.0.1 before Service Refresh 8, 7 before Service Refresh 7, and 7R1 before Service Refresh 1 makes it easier f...
CVE-2022-29035
In JetBrains Ktor Native before version 2.0.0 random values used for nonce generation weren't using SecureRandom implementations...
GHSA-W3HJ-WR2Q-X83G Discovery uses the same AES/GCM Nonce throughout the session
Discovery uses the same AES/GCM Nonce throughout the session though it should be generated on per message basis which can lead to the leaking of the session key. As the actual ENR record is signed with a different key it is not possible for an attacker to alter the ENR record. Note that the node...
PT-2021-24354 · Consensys · Consensys Discovery
Name of the Vulnerable Software and Affected Versions: Consensys Discovery versions less than 0.4.5. Description: The issue arises from Consensys Discovery using the same AES/GCM nonce for the entire session, which should ideally be unique for every message. This can lead to the leaking of the...
PT-2021-15381 · Joomla · Joomla!
Name of the Vulnerable Software and Affected Versions: Joomla! versions 3.2.0 through 3.9.24. Description: An issue was discovered in the usage of the insecure rand function within the process of generating the 2FA secret. Recommendations: For versions 3.2.0 through 3.9.24, consider updating to a...
CVE-2018-18531
text/impl/DefaultTextCreator.java, text/impl/ChineseTextProducer.java, and text/impl/FiveLetterFirstNameTextCreator.java in kaptcha 2.3.2 use the Random rather than SecureRandom function for generating CAPTCHA values, which makes it easier for remote attackers to bypass intended access restrictio...
Debian DSA-3627-1 : phpmyadmin - security update
Several vulnerabilities have been fixed in phpMyAdmin, the web-based MySQL administration interface. - CVE-2016-1927 The suggestPassword function relied on a non-secure random number generator which makes it easier for remote attackers to guess generated passwords via a brute-force approach. -...